<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 04/07/2015 09:03 AM, Miroslav Grepl
wrote:<br>
</div>
<blockquote cite="mid:55238134.2060108@redhat.com" type="cite">
<pre wrap="">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 04/06/2015 08:33 PM, Nusenu wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
what are the actually allowed TCP ports processes in the tor_t
domain are allowed to bind to? (with tor_bind_all_unreserved_ports
--> off tor_can_network_relay --> on)
semanage gives me: tor_port_t tcp 6969, 9001, 9030,
9050, 9051, 9150
but tor can bind to 80,443 or 9000 without problems. (but for
example 5000 is not allowed -> AVCs)</pre>
</blockquote>
</blockquote>
If you need some custom port for tor binding and you won't use
'tor_bind_all_unreserved_ports' boolean, you could use semanage tool
to label your custom port as tor_port_t.<br>
Example: <code>semanage port -a -t tor_port_t -p tcp 5000<br>
</code>
<blockquote cite="mid:55238134.2060108@redhat.com" type="cite">
<blockquote type="cite">
<pre wrap="">
Used policy version: selinux-policy-targeted-3.13.1-23.el7.noarch
Is there already a boolean that allows enabling to arbitrary ports
as suggested here:
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=544546#c5">https://bugzilla.redhat.com/show_bug.cgi?id=544546#c5</a>
</pre>
</blockquote>
</blockquote>
<blockquote cite="mid:55238134.2060108@redhat.com" type="cite">
<pre wrap="">
You can use sesearch to check it
$ sesearch -A -s tor_t -p tcp_socket -p name_bind -C
Or you can use sepolicy which gets you what you want to see
$ sepolicy network -d tor_t
</pre>
<blockquote type="cite">
<pre wrap="">
thanks, Nusenu -- selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a>
</pre>
</blockquote>
<pre wrap="">
- --
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVI4ErAAoJENrcHks50T0J+8IH/3ca/bcT//RKsxjK8GFC7BMt
WXR3c7KpxUk2Niy99GQo8fBR2FIJ0yfH2Y4TaiH9oVdew3odr7mEn4vBdya1C9A6
v283qSr9/BlPHvBk9msjjtRKryagi81XnU5C1EHF6eJQScyfnxE2pLuSBD3q2oZa
asawW1I0iwkri6BwWq9D5i40ISf4gqoHV9zA9j408sdahS8h38sq0PVrwVMMxakz
7Arlj33aXOij08ZWiISjB+sch0UD1zoX3jfiLiOMbTqHNuRisUz0PUAFCjoF7i5y
TOXTJE+kXVlnzqWPeYrWBl3Gak+QaoGx7HXGk7Kc1f++bfSl3plSyGH9xkxmimY=
=uVaE
-----END PGP SIGNATURE-----
--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Thank you.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.</pre>
</body>
</html>